Solaris (Trademark of Sun Microsystems) operating system, the following conditions must be 
checked: (1) the scanned server is running the Solaris operating system, and (2) the scanned 
server is running LPD. Thus, the rules are constructed to define a vulnerability if these two 
conditions are present. 
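
The two-condition rule described above, as an added illustration that is not part of the original filing: a rule defines a vulnerability only when both conditions hold for a host, and only intrusion signatures tied to a host's determined vulnerabilities are enabled. The host addresses, the rule and signature identifiers, and all function names are constructed for this example.

```python
from dataclasses import dataclass

# Constructed host facts, standing in for what a VDS gathers about each host.
HOSTS = {
    "10.0.0.5": {"os": "Solaris", "services": {"lpd", "ssh"}},
    "10.0.0.9": {"os": "Linux", "services": {"lpd"}},
    "10.0.0.12": {"os": "Solaris", "services": {"ssh"}},
}


@dataclass(frozen=True)
class VulnRule:
    vuln_id: str   # hypothetical label, not a real advisory identifier
    os: str        # condition (1): operating system on the host
    service: str   # condition (2): service running on the host

    def matches(self, facts):
        # The rule defines a vulnerability only if both conditions are present.
        return facts["os"] == self.os and self.service in facts["services"]


VULN_RULES = [VulnRule("EXAMPLE-SOLARIS-LPD", "Solaris", "lpd")]

# Constructed intrusion rules, keyed by the vulnerability whose exploitation they detect.
IDS_SIGNATURES = {
    "EXAMPLE-SOLARIS-LPD": 1001,
    "EXAMPLE-UNRELATED": 1002,
}


def determine_vulnerabilities(hosts, rules):
    """Map each host to the set of vulnerability ids whose rules match its facts."""
    return {ip: {r.vuln_id for r in rules if r.matches(facts)}
            for ip, facts in hosts.items()}


def active_signatures(hosts, rules, signatures):
    """Per host, enable only signatures for that host's determined vulnerabilities."""
    determined = determine_vulnerabilities(hosts, rules)
    return {ip: sorted(signatures[v] for v in vulns if v in signatures)
            for ip, vulns in determined.items() if vulns}


if __name__ == "__main__":
    print(active_signatures(HOSTS, VULN_RULES, IDS_SIGNATURES))
    # A change in the network: 10.0.0.12 starts LPD, so the plan is recomputed.
    HOSTS["10.0.0.12"]["services"].add("lpd")
    print(active_signatures(HOSTS, VULN_RULES, IDS_SIGNATURES))
```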





Cancel claims 1-4 and add new claims 5-40 as follows: 



5. A system for protecting a network, comprising:
a vulnerability detection system (VDS) for gathering information about the
network to determine vulnerabilities of a host on the network; and
an intrusion detection system (IDS) for examining network traffic responsive
to the vulnerabilities determined by the VDS to detect traffic indicative
of malicious activity.



6. The system of claim 5, wherein the VDS is adapted to gather information
about the network by sending data to the host and receiving responsive data from the
host.

7. The system of claim 5, wherein the VDS is adapted to gather information 
automatically provided by the host. 



8. The system of claim 5, further comprising:
a vulnerabilities rules database, in communication with the VDS, for storing
rules describing vulnerabilities of the host,
wherein the VDS is adapted to analyze the gathered information with the rules
to determine the vulnerabilities of the host.

9. The system of claim 8, wherein the VDS is adapted to analyze the gathered
information with the rules to identify an operating system on the host and determine the
vulnerabilities responsive to the operating system.

10. The system of claim 8, wherein the VDS is adapted to analyze the gathered
information with the rules to identify an open port on the host and determine the
vulnerabilities based on the open port.

11. The system of claim 8, wherein the VDS is adapted to analyze the gathered
information with the rules to identify an application executing on the host and determine
the vulnerabilities based on the application.






12. The system of claim 5, further comprising:
an intrusion rules database, in communication with the IDS, for storing rules
describing malicious activity,
wherein the IDS is adapted to analyze the network traffic with the rules to
detect network traffic indicative of exploitations of the determined
vulnerabilities.

13. The system of claim 5, wherein the IDS is adapted to detect traffic
indicative of exploitations of only the determined vulnerabilities.



14. The system of claim 5, wherein the VDS is adapted to verify the
determined vulnerabilities, and the IDS is adapted to detect traffic indicative of
exploitations of only the verified vulnerabilities.



15. The system of claim 5, wherein the VDS is adapted to update the
determined vulnerabilities, and wherein the IDS is adapted to detect traffic indicative of
malicious activity in response to the update.

16. The system of claim 15, wherein the VDS is adapted to update the
determined vulnerabilities in response to a change in the network.



17. A method for protecting a network, comprising:
gathering information about the network to determine vulnerabilities of a host
on the network; and
examining network traffic responsive to the determined vulnerabilities to
detect network traffic indicative of malicious activity.



18. The method of claim 17, wherein gathering information comprises sending
data to a host on the network and receiving responsive data from the host.

19. The method of claim 17, wherein gathering information comprises
receiving data automatically provided by the host on the network.



20. The method of claim 17, further comprising:
storing rules to describe vulnerabilities of the host,
wherein determining vulnerabilities includes analyzing the gathered
information with the rules.

21. The method of claim 20, wherein determining vulnerabilities comprises
analyzing the gathered information with the rules to identify an operating system on the
host.

22. The method of claim 20, wherein determining vulnerabilities comprises
analyzing the gathered information with the rules to identify an open port on the host.



23. The method of claim 20, wherein determining vulnerabilities comprises
comparing the gathered information against the rules to identify an application on the
host.

24. The method of claim further comprising:
storing rules describing malicious activity,
wherein detecting network traffic indicative of malicious activity comprises
analyzing the network traffic with the rules to detect traffic indicative of
exploitations of the determined vulnerabilities.

25. The method of claim 17, wherein examining network traffic consists of
detecting traffic indicative of exploitations of only the determined vulnerabilities.

26. The method of claim further comprising:
verifying determined vulnerabilities,
wherein examining network traffic consists of detecting traffic indicative of the
exploitations of only the verified vulnerabilities.

27. The method of claim 17, further comprising:
updating the determined vulnerabilities in response to a change in the network;
and
detecting traffic indicative of malicious activity in response to the
update.

28. The method of claim 27, wherein the updating is responsive to a change in
the network.

29. A computer program product, comprising:
a computer-readable medium having computer program logic embodied therein
for protecting a network, the computer program logic:
gathering information about the network to determine vulnerabilities of a host
on the network; and
examining network traffic responsive to the determined vulnerabilities to
detect network traffic indicative of malicious activity.

30. The computer program product of claim 29, wherein gathering information
comprises sending data to a host on the network and receiving responsive data from the
host.



31. The computer program product of claim 29, wherein gathering information
comprises receiving data automatically provided by the host on the network.

32. The computer program product of claim 29, further comprising:
storing rules to describe vulnerabilities of the host,
wherein determining vulnerabilities includes analyzing the gathered
information with the rules.

33. The computer program product of claim 32, wherein determining
vulnerabilities comprises analyzing the gathered information with the rules to identify an
operating system on the host.

34. The computer program product of claim 32, wherein determining
vulnerabilities comprises analyzing the gathered information with the rules to identify an
open port on the host.

35. The computer program product of claim 32, wherein determining
vulnerabilities comprises comparing the gathered information against the rules to detect
an application on the host.

36. The computer program product of claim 29, further comprising:
storing rules describing malicious activity,
wherein detecting network traffic indicative of malicious activity comprises
analyzing the network traffic with the rules to detect traffic indicative of
exploitations of the determined vulnerabilities.

37. The computer program product of claim 29, wherein examining network
traffic consists of detecting traffic indicative of exploitations of only the verified
vulnerabilities.

38. The computer program product of claim 29, further comprising:
verifying determined vulnerabilities,
wherein examining network traffic consists of detecting traffic indicative of the
exploitations of only the verified vulnerabilities.

39. The computer program product of claim 29, further comprising:
updating the determined vulnerabilities in response to a change in the network;
and
detecting traffic indicative of malicious activity in response to the update.

40. The computer program product of claim 29, wherein the updating is
responsive to a change in the network.